<html>
<head><meta charset="utf-8"><title>Muckable Pitfall - No Quick Answers · project-safe-transmute · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/index.html">project-safe-transmute</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Muckable.20Pitfall.20-.20No.20Quick.20Answers.html">Muckable Pitfall - No Quick Answers</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="218332628"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Muckable%20Pitfall%20-%20No%20Quick%20Answers/near/218332628" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jack Wrenn <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Muckable.20Pitfall.20-.20No.20Quick.20Answers.html#218332628">(Nov 30 2020 at 19:21)</a>:</h4>
<p>The foundation API can be used to <em>very quickly</em> audit/improve the safety of unsafe code. For instance, I can ensure all of the transmutations in my module are safe by simply replacing <code>mem::transmute</code> invocations with invocations of:</p>
<div class="codehilite" data-code-language="Rust"><pre><span></span><code><span class="k">pub</span><span class="w"> </span><span class="kr">macro</span><span class="w"> </span><span class="n">transmute</span><span class="p">(</span><span class="cp">$expr</span>: <span class="nc">expr</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="p">{</span><span class="w"> </span><span class="k">struct</span> <span class="nc">Here</span><span class="p">;</span><span class="w"> </span><span class="n">TransmuteFrom</span>::<span class="o">&lt;</span><span class="n">_</span><span class="p">,</span><span class="w"> </span><span class="n">Here</span><span class="o">&gt;</span>::<span class="n">transmute_from</span><span class="p">(</span><span class="cp">$expr</span><span class="p">)</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<p><em>Without</em> the foundational API—and <em>only</em> having the <code>Muckable</code> abstraction—this isn't possible. The <code>Muckable</code>-based abstraction requires carefully-considered <code>Muckable</code> trait implementations on all involved types. Realizing these implementations correctly might require refactoring these types and anything that touches their fields. (Doing so might <em>introduce</em> unsafety.) At worst, the newtype hack might be simply inapplicable (more on this in a future topic), and the problem is intractable. </p>
<p>Again: the right thing to do should be the easy thing to do.</p>



<a name="218334562"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Muckable%20Pitfall%20-%20No%20Quick%20Answers/near/218334562" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jack Wrenn <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Muckable.20Pitfall.20-.20No.20Quick.20Answers.html#218334562">(Nov 30 2020 at 19:35)</a>:</h4>
<p>This matters beyond <code>mem::transmute</code>. For instance, I'd really like to experiment with safe union accesses next. With the scope-aware foundational API, I can prototype safe union accesses as an automatic, local program transformation. </p>
<p>Without it, I'd need to automatically generate sound <code>Muckable</code> impls non-locally, which probably isn't tractable.</p>



<a name="218621825"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Muckable%20Pitfall%20-%20No%20Quick%20Answers/near/218621825" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Quy Nguyen <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Muckable.20Pitfall.20-.20No.20Quick.20Answers.html#218621825">(Dec 02 2020 at 21:24)</a>:</h4>
<p>While thinking about <code>Scope</code>, one thing is that it allows you to easily ignore invariants.  For example:</p>
<div class="codehilite"><pre><span></span><code>//inside say mod.rs

// must be negative
struct Foo {
a: i32
}
</code></pre></div>
<p>Even though unsafe fields have been rejected because unsafety taints everything that is visible, I don't know if conflating identical structs is something we necessarily want. Casting a <code>[u8; 4]</code> to <code>Foo</code>  is very likely not what you want to do. Now under the strict <code>unsafe taints a whole module</code> rules that argued against unsafe fields - this API is sound. But I don't think its very helpful to be able for reasoning. </p>
<p>I myself don't see a problem with this given that unsafe fields are basically dead, but I do bemoan the rule where unsafe code can be a safe <code>fn</code> if its inside a module.</p>



<a name="218622322"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Muckable%20Pitfall%20-%20No%20Quick%20Answers/near/218622322" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jack Wrenn <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Muckable.20Pitfall.20-.20No.20Quick.20Answers.html#218622322">(Dec 02 2020 at 21:28)</a>:</h4>
<p>It allows you to ignore invariants to the same extent that direct field access does. This can lead to pitfalls, but it's also genuinely useful. Whether you want to cast a <code>[u8;4]</code> to <code>Foo</code> depends hugely on why you're doing it! Are you writing deserialization code for your trait? Initializing a temporary invalid value that you'll soon overwrite? (If you're diligent about checking invariants, your temporary default value perhaps <em>should</em> be invalid so your <code>debug_assert</code>s catch if you don't overwrite it!)</p>



<a name="218622514"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Muckable%20Pitfall%20-%20No%20Quick%20Answers/near/218622514" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jack Wrenn <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Muckable.20Pitfall.20-.20No.20Quick.20Answers.html#218622514">(Dec 02 2020 at 21:30)</a>:</h4>
<p>Ultimately, I'd like to provide an API that can quickly be integrated into existing, real-world code that follows the standard-albeit-coarse rules of safety.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>